Add support for Xenial ESM repos to our base roles

This will run the ua tool to attach an UA token and to enable the
esm-infra repos. We also update unattended upgrades to auto pull
security updates from the ESM repos.

Change-Id: Ifb487d12df7b799d5fd2973d56741e0757bc4d4f

playbooks/roles/base/repos/tasks/Debian.yaml

@@ -25,3 +25,25 @@
     src: 'sources.list.{{ ansible_facts.lsb.codename }}.{{ ansible_facts.architecture }}'
     dest: /etc/apt/sources.list
   notify: Update apt cache
+
+- name: Configure Ubuntu ESM
+  block:
+    # Note technically this requires ubuntu-advantage-tools to be installed
+    # but the above notify to update apt caches won't have run by the time
+    # we get here. That should be ok because the Xenial nodes have all been
+    # around long enough to have ua installed.
+    - name: Get UA status
+      command: "ua status"
+      register: uastatus
+    - name: Attach UA
+      command: "ua attach --no-auto-enable {{ ubuntu_advantage_token }}"
+      when: "'This machine is not attached to a UA subscription.' in uastatus.stdout"
+      no_log: true
+    - name: Enable ESM
+      command: "ua enable esm-infra"
+      when: "'esm-infra     yes                enabled' not in uastatus.stdout"
+  when:
+    - ubuntu_advantage_token is defined
+    - enable_ubuntu_esm is defined and enable_ubuntu_esm
+    - ansible_distribution == 'Ubuntu'
+    - ansible_distribution_release == 'xenial'

playbooks/roles/base/server/files/50unattended-upgrades

@@ -5,6 +5,7 @@ Unattended-Upgrade::Allowed-Origins {
     "${distro_id} ${distro_codename}-security";
     "${distro_id} ${distro_codename}-updates";
 //  "${distro_id} ${distro_codename}-proposed-updates";
+    "${distro_id}ESM ${distro_codename}-infra-security";
 };
 
 // List of packages to not update